PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10029 Qemu CVE debrief

CVE-2016-10029 is a QEMU Virtio GPU bug where a guest can send a VIRTIO_GPU_CMD_SET_SCANOUT command with a scanout id greater than num_scanouts. NVD describes the result as an out-of-bounds read that can crash the QEMU process, creating a denial-of-service condition for affected virtual machines and their host-side QEMU instance.

Vendor: Qemu
Product: CVE-2016-10029
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-27
Original CVE updated: 2026-05-13
Advisory published: 2017-02-27
Advisory updated: 2026-05-13

Who should care

Teams running QEMU with Virtio GPU device emulation, especially in environments that execute untrusted or semi-trusted guest code and care about host process availability.

Technical summary

The vulnerable path is virtio_gpu_set_scanout. According to NVD, a local guest OS user can supply a scanout id larger than num_scanouts in VIRTIO_GPU_CMD_SET_SCANOUT, causing an out-of-bounds read (CWE-125) and a process crash. NVD lists affected QEMU versions through 2.6.2 and assigns the CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, reflecting a locally triggered, low-privilege impact on availability only.
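The defect class described above is a bounds check measured against the wrong limit. The following is an added illustrative model, not QEMU source: the device advertises a compile-time maximum number of scanouts, but only the host-configured num_scanouts entries are allocated, so a check against the static maximum lets a guest-supplied id index past the allocation. The weak-check shape, the struct names and the handle_set_scanout helper are assumptions for illustration; the page only states that an id larger than num_scanouts triggers the read.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>

/* Illustrative model only, not QEMU code: the device publishes a
 * compile-time maximum, but only num_scanouts entries are allocated. */
#define MODEL_MAX_SCANOUTS 16u

struct scanout { uint32_t resource_id; uint32_t width, height; };

struct gpu_model {
    uint32_t num_scanouts;      /* host-configured count */
    struct scanout *scanouts;   /* exactly num_scanouts entries */
};

/* Weak check (hypothetical shape of the defect): bounds the id by the
 * static maximum, so ids in [num_scanouts, MODEL_MAX_SCANOUTS) are accepted
 * and would index past the allocated entries. */
bool scanout_id_ok_weak(const struct gpu_model *g, uint32_t scanout_id)
{
    (void)g;
    return scanout_id < MODEL_MAX_SCANOUTS;
}

/* Hardened check: the limit is the configured count that sized the array. */
bool scanout_id_ok_fixed(const struct gpu_model *g, uint32_t scanout_id)
{
    return scanout_id < g->num_scanouts;
}

/* Handler for a guest SET_SCANOUT request using the hardened check.
 * Returns 0 on success, -1 when the request is rejected and logged. */
int handle_set_scanout(struct gpu_model *g, uint32_t scanout_id, uint32_t res)
{
    if (!scanout_id_ok_fixed(g, scanout_id)) {
        fprintf(stderr, "illegal scanout id %u (num_scanouts=%u)\n",
                scanout_id, g->num_scanouts);
        return -1;
    }
    g->scanouts[scanout_id].resource_id = res;
    return 0;
}

int main(void)
{
    struct gpu_model g = { .num_scanouts = 2,
                           .scanouts = calloc(2, sizeof(struct scanout)) };
    /* Constructed guest input: id 5 lies past the two configured scanouts. */
    printf("weak accepts 5: %d, fixed accepts 5: %d\n",
           scanout_id_ok_weak(&g, 5), scanout_id_ok_fixed(&g, 5));
    printf("handle(5) -> %d, handle(1) -> %d\n",
           handle_set_scanout(&g, 5, 42), handle_set_scanout(&g, 1, 42));
    free(g.scanouts);
    return 0;
}
```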

Defensive priority

Medium. The issue needs local guest access and primarily affects availability, but it can terminate the QEMU process and disrupt workloads running on the affected host.

Recommended defensive actions

  • Upgrade QEMU to a version that includes the fix referenced by the supplied QEMU commits and advisory posts.
  • If immediate upgrading is not possible, disable or avoid exposing Virtio GPU device emulation to guests that do not require it.
  • Treat guest input to virtualization device emulators as untrusted and review any surrounding bounds checks in related code paths.
  • Validate that your deployed QEMU builds are not in the NVD-listed vulnerable range through 2.6.2.

Evidence notes

The supplied NVD record states that virtio_gpu_set_scanout in QEMU with Virtio GPU support allows a local guest OS user to trigger an out-of-bounds read and process crash via a scanout id larger than num_scanouts in VIRTIO_GPU_CMD_SET_SCANOUT. The NVD entry also lists CWE-125, CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, and vulnerable QEMU versions through 2.6.2. The supplied references include two QEMU git commits and two oss-security mailing list posts dated 2016-12-20 and 2016-12-22.

Official resources

CVE-2016-10029 was published on 2017-02-27. The supplied reference corpus also includes QEMU patch/advisory mailing-list posts dated 2016-12-20 and 2016-12-22, showing pre-publication discussion of the fix and issue context.